After Equifax, do we need to dump Social Security numbers?

The Equifax data breach has led policymakers and citizens alike to ask a startling question: Do we need to figure out a way to stop using Social Security numbers?

Seriously. Is it possible that so many crooks already have our number that there’s no other way to stop the filing of fake federal tax returns or protect our IDs so that fraudsters don’t open up credit cards in our names?

Has the Social Security number outlived its usefulness? That was suggested by cybersecurity coordinator Rob Joyce, who spoke last week at a conference organized by The Washington Post.

The White House is looking at ways to phase out the use of Social Security numbers, Joyce said.

Likewise, former Equifax CEO Richard Smith testified in Washington that another system is needed with the rising numbers of hacks.

There are no details of how this would work. And don’t expect any quick changes, either, even as we grapple with the fallout from the Equifax data breach first announced in early September.

The Equifax story, of course, just grows more annoying for consumers by the minute.

Last week, Equifax bumped up its number and now says hackers may have stolen personal information from up 145.5 million people, or 2.5 million more than initially reported.

The Equifax breach involved Social Security numbers, birth dates, names and addresses. Equifax noted that some driver’s license numbers may have been stolen, too.

It’s not uncommon, of course, for retailers, restaurants and others to revise their numbers upward after the first announcement of a security breach.

Brian Krebs, who writes the blog KrebsOnSecurity.com, said he’d suspect that one day we’ll be told that even more people will turn out to have been compromised as part of the Equifax breach.

“I’ve been telling people to assume you’re compromised,” he said.

Krebs pointed to the example of Yahoo, which had previously said 1 billion of its accounts were hit by a cyberattack in 2013. But last week, Verizon Communications, which acquired Yahoo in June, disclosed that all 3 billion of Yahoo’s user accounts were compromised.

With the Yahoo breach, crooks obtained names, birth dates, phone numbers and passwords, as well as security questions used to reset lost passwords.

Krebs — who tracks what’s for sale via the many online marketplaces that criminals use — said it’s hard to know where some stolen data came from at this point because there have been so many breaches.

He has noticed a lot of scammers this past month who are trying to trick other con artists into thinking they have the “Equifax” data for sale online.

More infuriating news: The Internal Revenue Service somehow saw fit to award a multimillion-dollar no-bid contract to Equifax to prevent fraud in late September. The service is to verify taxpayer identities.

Krebs said the Equifax verification model, which asks personal questions such as information about your past car loans or a mortgage, can be readily found elsewhere online.

Krebs reported in May about another hacking incident involving an Equifax subsidiary, TALX, which provides online payroll and tax services.

Equifax said then that crooks were able to reset a 4-digit PIN given to customer employees as a password and then steal W-2 tax data after successfully answering personal questions about those employees.

ID thieves, of course, can use data from W-2 forms to file fraudulent federal income tax returns to engage in tax refund fraud.

“It’s not hard to see why people are getting so cynical about this,” Krebs said. “Equifax does not view consumers as their customers — they’re the product.”

As for trying to move away from Social Security numbers as an ID, it’s a gigantic step for banks, employers and others to totally abandon the practice of using Social Security numbers, which were developed in 1936.

Many see a reason for change.

“We do need to develop a new verification system based on some sort of two-factor authentication that does not include Social Security numbers,” said Mike Litt, consumer advocate for the Public Interest Research Group.

Litt said the organization’s leadership has called for moving away from Social Security numbers for a decade. PIRG experts gave testimony in Washington in 2003 indicating that “overuse and easy access to Social Security numbers helps drive the identity theft epidemic.”

“Fundamentally, this nation needs to wean the private sector of its over-reliance on Social Security numbers as unique identifiers and database keys,” said Edmund Mierzwinski, consumer program director for PIRG.

John Ulzheimer, a credit expert who formerly worked for credit-scoring company FICO, said perhaps Social Security numbers could be restricted to track earnings.

He noted other combinations of data can be used for many financial services.

“Heck, my phone and several of my bank’s apps use my fingerprint for authentication,” Ulzheimer said.

But he acknowledges this might be a tough sell.

“That will be a slow turning ship, though, given how ingrained Social Security numbers have become,” he said.

Susan Tompor is the personal finance columnist for the Detroit Free Press. She can be reached at stompor@freepress.com.